Chat bot opens door to Ticketmaster payment card hack

Online ticket sales firm Ticketmaster on Wednesday revealed a breach that exposed payment card data of tens of thousands of customers in the UK and Australia.

At the heart of the breach was a chat bot service that Ticketmaster integrated into its payment page from its third-party supplier, Inbenta.

The partners are now laying blame for the breach on each other, while a third unrelated company, digital bank startup Monzo, said it warned Ticketmaster about a possible breach in April, some two months before Ticketmaster said it discovered the breach.

Ticketmaster has posted a page describing a “data security incident by a third party supplier” that says on Saturday June 23 its UK headquarters discovered malware on a customer support product hosted by Inbenta.

The software was embedded within payment pages on Ticketmaster UK and International websites, meaning it potentially affected customers in the UK, as well as Australia, New Zealand, France, Ireland, Germany, and Spain. US customers were not affected.

“As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites,” said Ticketmaster, which estimates that less than 5 percent of its global customers were affected.

The BBC reports that around 40,000 UK residents were affected. The UK's National Crime Agency said it is investigating the incident while the National Cyber Security Centre (NCSC) has posted advice for affected users.

Inbenta has posted its own notice that pushes blame back onto Ticketmaster. The company said it customized JavaScript code solely for Ticketmaster, so this code is not present in other customers’ implementations of its technology.

Inbenta said that Ticketmaster, unbeknownst to it, used the custom script on its payments page, something Inbenta says it would have advised against had it known the script would be used in this way.

“We were unaware of this, and would have advised against doing so had we known, as it presents a point of vulnerability that affects the capacity for web forms to upload files. It appears that the attacker used this vulnerability. We disabled this script as soon as possible, thereby preventing any further breaches at this implementation,” Inbenta said.

The contractor was hosting the script on behalf of Ticketmaster, but says it cannot monitor which web pages its customers embed those scripts on.

Following Ticketmaster’s public disclosure, Monzo said it had alerted Ticketmaster about a possible breach in April, after receiving reports of fraudulent transactions from about 50 customers and noticing that 70 percent of those reports came from customers who had used their cards with Ticketmaster between December 2017 and April 2018.

“This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster,” wrote Monzo.

After spotting a few more fraudulent transactions, the company contacted Ticketmaster directly and was told by its security team that they would investigate the issue.

Further fraudulent transactions that it traced back to past Ticketmaster purchases prompted it to replace six thousand Monzo cards that had been used with the ticketing company.

On April 19, Monzo said Ticketmaster informed it that the investigation had turned up no evidence of a breach and that it was the only bank reporting instances of fraud linked to Ticketmaster purchases.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.